Warning: Remote Code Execution in Ivanti EPMM Endpoint Manager Mobile, Patch Immediately!

Published: 30/01/2026
  • Last update: 05/02/2026
  • Affected software: EPMM Endpoint Manager Mobile versions 12.7.0.0, 12.6.0.0, 12.5.0.0, and prior
  • Type: Remote Code Execution
  • CVE/CVSS
    → CVE-2026-1340: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-1281: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US

Risks

Newly discovered vulnerabilities in Ivanti EPMM Endpoint Manager Mobile allow attackers to execute unauthorized code, potentially exposing sensitive company data and disrupting operations.

EPMM is a Unified Endpoint Management (UEM) platform designed to secure and manage mobile devices, applications, and content.

If exploited, these vulnerabilities could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical businesses.

As of 05/02/2026, there is credible information that both vulnerabilities CVE-2026-1281 & CVE-2026-1340 are actively being exploited. This has been confirmed by both Ivanti and CISA. Ivanti has updated their official advisory.

Threat actors have been observed erasing logging data on Ivanti systems and implementing a backdoor in memory. During post-exploitation, the threat actors execute commands to collect and exfiltrate data. Please note that patching is not enough: an investigation needs to take place to rule out potential compromise.

Description

Two critical security vulnerabilities, CVE-2026-1281 & CVE-2026-1340, have been identified in Ivanti Endpoint Manager Mobile (EPMM) versions 12.7.0.0, 12.6.0.0, 12.5.0.0, and prior. These flaws arise from code injection, a type of vulnerability that allows attackers to inject malicious code into an application and have it executed, potentially leading to full system compromise.

In affected versions, an attacker can exploit these vulnerabilities via the In-House Application Distribution and Android File Transfer Configuration features, leading to unauthenticated remote code execution.

Recommended Actions

Patch

  • Please apply the relevant patch. Upgrade to the most recent version. Note that Ivanti modified their advisory yesterday (4 February 2026).
  • Assume compromise and launch an investigation. Threat actors have been observed exploiting this zero-day prior to the patch release to implement a backdoor in memory and erase logs. Even if you have patched to the most recent firmware version, there may be a backdoor on your systems.

Additionally, the CCB recommends that you:

  • Patch all vulnerable appliances after thorough testing.
  • Change the passwords for all accounts on the system.
  • Renew private keys in use on the system.
  • Start a forensic analysis to rule out a potential compromise and check both image and memory dumps.
  • Monitor the internal traffic originating from the affected appliances to check for possible lateral movement.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

HelpNetSecurity - https://www.helpnetsecurity.com/2026/01/30/ivanti-epmm-cve-2026-1281-cve-2026-1340/